Safety CI > vertexproject/vtx-base-image

master

1 year, 10 months ago

e1297ed7

Update webcolors from 1.13 to 24.6.0 (#653)

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

master

1 year, 10 months ago

2256a08b

Update cbor2 from 5.6.3 to 5.6.4 (#654)

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

master

1 year, 10 months ago

cd00a755

Update beautifulsoup4 from 4.12.2 to 4.12.3 (#561) Co-authored-by: vEpiphyte <epiphyte@vertex.link>

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

master

1 year, 10 months ago

9a6ffcee

Update certifi from 2024.2.2 to 2024.6.2 (#649)

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

pyup-update-prompt-toolkit-3.0.43-to-3.0.47

1 year, 10 months ago

af5a273c

Update prompt-toolkit from 3.0.43 to 3.0.47

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

master

1 year, 10 months ago

c933346d

Update tornado from 6.4 to 6.4.1 (#655)

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

pyup-update-packaging-23.2-to-24.1

1 year, 10 months ago

c771b5e1

Update packaging from 23.2 to 24.1

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

pyup-update-typing-extensions-4.9.0-to-4.12.2

1 year, 10 months ago

084f6f9c

Update typing-extensions from 4.9.0 to 4.12.2

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

pyup-update-tornado-6.4-to-6.4.1

1 year, 10 months ago

1ee6375e

Update tornado from 6.4 to 6.4.1

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

pyup-update-cbor2-5.6.3-to-5.6.4

1 year, 10 months ago

3a9b2cb8

Update cbor2 from 5.6.3 to 5.6.4

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

pyup-update-webcolors-1.13-to-24.6.0

1 year, 10 months ago

2a65ced9

Update webcolors from 1.13 to 24.6.0

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

master

1 year, 10 months ago

3e7318e7

Update urllib3 from 2.1.0 to 2.2.1 (#586) Co-authored-by: vEpiphyte <epiphyte@vertex.link>

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

master

1 year, 10 months ago

f5f7bc3f

Update requests from 2.31.0 to 2.32.3 (#646)

pyOpenSSL 24.1.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

Package

Installed

Affected

Info

pyOpenSSL

24.1.0

>=0.14.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.

pyOpenSSL

24.1.0

>=22.0.0,<26.0.0

show

Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

master

1 year, 10 months ago

1235f464

Update scalecodec from 1.2.7 to 1.2.9 (#647)

requests 2.31.0 and pyOpenSSL 24.1.0 have known security vulnerabilities.

Package	Installed	Affected	Info
requests	2.31.0	<2.32.4	show Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.
requests	2.31.0	<2.33.0	show Affected versions of the requests package are vulnerable to Insecure Temporary File reuse due to predictable temporary filename generation in extract_zipped_paths(). The requests.utils.extract_zipped_paths() utility extracts files from zip archives into the system temporary directory using a deterministic path, and if that file already exists, the function reuses it without validating that it is the expected extracted content.
requests	2.31.0	<2.32.2	show Affected versions of Requests, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. Requests 2.32.0 fixes the issue, but versions 2.32.0 and 2.32.1 were yanked due to conflicts with CVE-2024-35195 mitigation.
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.

master

1 year, 10 months ago

ec81b5fb

Update cryptography from 42.0.7 to 42.0.8 (#652)

requests 2.31.0, pyOpenSSL 24.1.0 and scalecodec 1.2.7 have known security vulnerabilities.

Package	Installed	Affected	Info
requests	2.31.0	<2.32.4	show Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.
requests	2.31.0	<2.33.0	show Affected versions of the requests package are vulnerable to Insecure Temporary File reuse due to predictable temporary filename generation in extract_zipped_paths(). The requests.utils.extract_zipped_paths() utility extracts files from zip archives into the system temporary directory using a deterministic path, and if that file already exists, the function reuses it without validating that it is the expected extracted content.
requests	2.31.0	<2.32.2	show Affected versions of Requests, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. Requests 2.32.0 fixes the issue, but versions 2.32.0 and 2.32.1 were yanked due to conflicts with CVE-2024-35195 mitigation.
pyOpenSSL	24.1.0	>=0.14.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Improper Input Validation due to a failure to securely handle exceptions in a user-supplied callback. The set_tlsext_servername_callback API accepts a callback that, in affected versions, allows an unhandled exception to cause the TLS connection to be accepted instead of rejected, creating a fail-open condition in any security-sensitive logic implemented in that callback.
pyOpenSSL	24.1.0	>=22.0.0,<26.0.0	show Affected versions of the pyOpenSSL package are vulnerable to Classic Buffer Overflow due to missing length validation on DTLS cookie values returned by a user-provided callback. The vulnerability is in the DTLS cookie generation path that uses set_cookie_generate_callback, where pyOpenSSL passes the callback’s return value into an OpenSSL-provided buffer without rejecting values longer than 256 bytes.
scalecodec	1.2.7	<1.2.9	show Scalecodec version 1.2.9 removes the py library from its dependencies to address the security vulnerability identified as CVE-2022-42969.